Showing with 367 additions and 49 deletions.
  1. +6 −2 .devcontainer/README.md
  2. +1 −1 .github/workflows/auto_release.yml
  3. +1 −0 .sync.yml
  4. +16 −1 CHANGELOG.md
  5. +24 −15 Gemfile
  6. +32 −4 README.md
  7. +56 −22 REFERENCE.md
  8. +1 −0 files/extend.sh
  9. +4 −4 metadata.json
  10. +8 −0 plans/extend_ca_cert.pp
  11. +16 −0 tasks/check_crl_cert.json
  12. +19 −0 tasks/check_crl_cert.sh
  13. +28 −0 tasks/crl_truncate.json
  14. +155 −0 tasks/crl_truncate.sh
8 changes: 6 additions & 2 deletions .devcontainer/README.md
@@ -13,14 +13,18 @@ https://github.com/microsoft/vscode-dev-containers/tree/v0.140.1/containers/pupp

// Set *default* container specific settings.json values on container create.
"settings": {
"terminal.integrated.shell.linux": "/bin/bash"
"terminal.integrated.profiles.linux": {
"bash": {
"path": "bash",
}
}
},

// Add the IDs of extensions you want installed when the container is created.
"extensions": [
"puppet.puppet-vscode",
"rebornix.Ruby"
]
],

// Use 'forwardPorts' to make a list of ports inside the container available locally.
"forwardPorts": [],
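Review bot: the new `bash` profile object carries a trailing comma (`"path": "bash",` directly before `}`); VS Code's JSONC reader tolerates it, but any strict JSON tool will reject the snippet when it is copied into a plain `.json` file, so drop the comma. The replaced setting pointed at `/bin/bash` while the new profile uses the bare `"path": "bash"`, which is resolved through PATH inside the container; if the absolute path was deliberate, keep `/bin/bash`.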
2 changes: 1 addition & 1 deletion .github/workflows/auto_release.yml
@@ -34,7 +34,7 @@ jobs:
persist-credentials: false

- name: "PDK Release prep"
uses: docker://puppet/iac_release:ci
uses: docker://puppet/pdk:latest
with:
args: 'release prep --force'
env:
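Review bot: `uses: docker://puppet/pdk:latest` swaps the `ci` tag for the floating `latest` tag, so the release-prep job now runs whatever image is current at execution time, which makes release builds non-reproducible and widens the supply-chain exposure of the one workflow that prepares releases. Pin to a specific version tag or, better, an image digest (`docker://puppet/pdk@sha256:<digest>`) and bump it deliberately.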
1 change: 1 addition & 0 deletions .sync.yml
@@ -23,6 +23,7 @@ Gemfile:
optional:
":development":
- gem: github_changelog_generator
version: '= 1.15.2'
- gem: 'octokit'
version:
'= 4.21.0'
17 changes: 16 additions & 1 deletion CHANGELOG.md
@@ -2,6 +2,22 @@

All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).

## [v3.3.0](https://github.com/puppetlabs/ca_extend/tree/v3.3.0) (2023-01-26)

[Full Changelog](https://github.com/puppetlabs/ca_extend/compare/v3.2.0...v3.3.0)

### Changed

- Remove harmful terms from ca\_extend [\#40](https://github.com/puppetlabs/ca_extend/pull/40) ([gavindidrichsen](https://github.com/gavindidrichsen))

### Added

- \(SUP-3365\) Add crl\_truncate [\#72](https://github.com/puppetlabs/ca_extend/pull/72) ([elainemccloskey](https://github.com/elainemccloskey))

### Fixed

- \(SUP-3048\) Do not print cert contents [\#71](https://github.com/puppetlabs/ca_extend/pull/71) ([m0dular](https://github.com/m0dular))

## [v3.2.0](https://github.com/puppetlabs/ca_extend/tree/v3.2.0) (2022-06-29)

[Full Changelog](https://github.com/puppetlabs/ca_extend/compare/v3.1.0...v3.2.0)
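Review bot: the `Remove harmful terms from ca_extend` entry (#40) added under `### Changed` for v3.3.0 is the same line the second hunk below removes from an earlier release section, and #40 sits well before #71 and #72 in PR numbering; confirm the PR actually landed in v3.3.0 rather than being re-attributed by the changelog generator, and if it shipped earlier, leave it in its original section.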
@@ -33,7 +49,6 @@ All notable changes to this project will be documented in this file. The format

### Changed

- Remove harmful terms from ca\_extend [\#40](https://github.com/puppetlabs/ca_extend/pull/40) ([gavindidrichsen](https://github.com/gavindidrichsen))
- \(SUP-2497\) Remove EOL platforms and versions [\#39](https://github.com/puppetlabs/ca_extend/pull/39) ([m0dular](https://github.com/m0dular))

## [v2.1.0](https://github.com/puppetlabs/ca_extend/tree/v2.1.0) (2021-08-02)
39 changes: 24 additions & 15 deletions Gemfile
@@ -13,24 +13,33 @@ def location_for(place_or_version, fake_version = nil)
end
end

ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
minor_version = ruby_version_segments[0..1].join('.')

group :development do
gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 2.8.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "puppet-module-posix-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-posix-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-win-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-win-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "voxpupuli-puppet-lint-plugins", '>= 3.0', require: false, platforms: [:ruby]
gem "github_changelog_generator", require: false
gem "octokit", '= 4.21.0', require: false
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.5.1', require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.1', require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.6.3', require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "voxpupuli-puppet-lint-plugins", '~> 3.1', require: false
gem "facterdb", '~> 1.18', require: false
gem "metadata-json-lint", '>= 2.0.2', '< 4.0.0', require: false
gem "puppetlabs_spec_helper", '>= 3.0.0', '< 5.0.0', require: false
gem "rspec-puppet-facts", '~> 2.0', require: false
gem "codecov", '~> 0.2', require: false
gem "dependency_checker", '~> 0.2', require: false
gem "parallel_tests", '~> 3.4', require: false
gem "pry", '~> 0.10', require: false
gem "simplecov-console", '~> 0.5', require: false
gem "puppet-debugger", '~> 1.0', require: false
gem "rubocop", '= 1.6.1', require: false
gem "rubocop-performance", '= 1.9.1', require: false
gem "rubocop-rspec", '= 2.0.1', require: false
gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "github_changelog_generator", '= 1.15.2', require: false
gem "octokit", '= 4.21.0', require: false
end
group :system_tests do
gem "puppet-module-posix-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-win-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet_litmus", '< 1.0.0', require: false, platforms: [:ruby]
gem "serverspec", '~> 2.41', require: false
end

puppet_version = ENV['PUPPET_GEM_VERSION']
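Review bot: the `json` pins now cover `>= 3.0.0, < 3.0.5` and `>= 3.1.0, < 3.1.3` but leave Ruby 3.0.5 through 3.0.x and 3.1.3 through 3.1.x without a pin, and Ruby 2.4 support disappears silently with the removed `~> 2.4.2` line; if the gaps are intentional (newer patch releases bundle a usable json), a one-line comment above the block would spare the next reader the guesswork. With `ruby_version_segments` and `minor_version` deleted, grep the rest of the Gemfile for `minor_version`: the `:system_tests` group no longer uses it, but any reference below `puppet_version = ENV['PUPPET_GEM_VERSION']` outside this hunk would now raise `NameError`. `puppet_litmus '< 1.0.0'` has only an upper bound; consider adding a lower one as for the other gems.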
36 changes: 32 additions & 4 deletions README.md
@@ -46,13 +46,17 @@ After the CA certificate has been extended, there are three methods for distribu
1. Manually deleting `ca.pem` on agents and letting them download that file as part of the next Puppet agent run. The agent will download that file only if it is absent, so it must be deleted to use this method.
1. Using a Puppet file resource to manage `ca.pem`. _Note: This method is only possible if the CA certificate has not yet expired because Puppet communications depend upon a valid CA certificate._

There are also two complementary tasks to check the expiration date of the CA certificate or any agent certificates.
There are also complementary tasks to check the expiration date of the CA certificate, agent certificates, and the CA CRL.

* `ca_extend::check_ca_expiry`
* Checks if the CA certificate expires by a certain date. Defaults to three months from today.
* `ca_extend::check_agent_expiry`
* Checks if any agent certificate expires by a certain date. Defaults to three months from today.

* `ca_extend::check_crl_expiry`
* Checks if the CA crl on the primary server has expired
* `ca_extend::crl_truncate`
* Will truncate and regenerate the CA CRL, this should only be run if the CRL is expired

** If the CA certificate is expiring or expired, you must extend it as soon as possible. **

## Setup
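Review bot: the task is introduced here as `ca_extend::check_crl_expiry`, but the files added in this change are `tasks/check_crl_cert.json` and `tasks/check_crl_cert.sh`, REFERENCE.md documents `check_crl_cert`, and the README note further down calls it `ca_extend::check_crl_cert`; `bolt task run ca_extend::check_crl_expiry` would fail, so rename it to `check_crl_cert`. The blank line inserted before the two new bullets splits the list into two lists; remove it. Wording: `CA crl` should read `CA CRL`, and `Will truncate and regenerate the CA CRL, this should only be run if the CRL is expired` is a comma splice (`Truncates and regenerates the CA CRL. Run it only if the CRL has expired.`).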
@@ -151,6 +155,8 @@ First, check the expiration of the Puppet agent certificate by running the follo

If, and only if, the `notAfter` date printed has already passed, then the primary Puppet server certificate has expired and must be cleaned up before the CA can be regenerated. This can be accomplished by passing `regen_primary_cert=true` to the `ca_extend::extend_ca_cert` plan.

> Note: This plan will also run the `ca_extend::check_crl_cert` task and if the crl is expired, will automatically resolve the issue by running the `ca_extend::crl_truncate` task.
```bash
bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true --targets <primary_fqdn> compilers=<comma_separated_compiler_fqdns> --run-as root
```
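Review bot: the note states the plan will `automatically resolve the issue by running the ca_extend::crl_truncate task` whenever the CRL is expired, yet neither this note nor the plan parameters documented in REFERENCE.md give the operator a way to decline, and the README never says what a truncated, regenerated CRL means for certificates that were revoked before it. Document that consequence here and consider a plan parameter that lets the operator opt out of the automatic truncation. Also put a blank line between the `>` note and the ```bash fence so the fence is not read as part of the quote by some renderers, and `crl` should be `CRL`.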
@@ -202,7 +208,7 @@ puppet agent -t
#### 3. Using a Puppet file resource to manage `ca.pem`


This example manages `ca.pem` on Windows and \*nix nodes with the contents of `ca.pem` on the puppetserver. _Note: This method is only possible if the CA certificate has not yet expired because Puppet communications depend upon a valid CA certificate._
You may add this code to the catalog received by your agent nodes; the code manages `ca.pem` on Windows and \*nix nodes with the contents of `ca.pem` on the compiling server (primary server or compiler). The code will not work with a serverless approach such as `puppet apply`. _Note: This method is only possible if the CA certificate has not yet expired because Puppet communications depend upon a valid CA certificate._

```
$localcacert = $facts['os']['family'] ? {
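Review bot: the fence that opens the manifest example below the rewritten sentence is untagged while every other fence in this README uses ```bash; tag it ```puppet so the `file` resource example is highlighted like the command examples.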
@@ -217,7 +223,7 @@ This example manages `ca.pem` on Windows and \*nix nodes with the contents of `c

### ca_extend::check_ca_expiry Task

You can use this task to check the ca cert expiry on the `primary` mainly but you can also use it to check that a remote CA cert has been updated after using any means to update an expired CA cert on an agent.
You can use this task to check the CA cert expiry on the `primary` mainly but you can also use it to check that a remote \*nix node's CA cert has been updated after using any means to distribute the new CA certificate.

```bash
bolt task run ca_extend::check_ca_expiry --targets <TargetSpec>
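Review bot: the rewritten sentence is a run-on; suggest `Use this task mainly to check the CA cert expiry on the primary. You can also use it to confirm that a remote \*nix node's CA cert has been updated after distributing the new CA certificate.` The new `\*nix` qualifier implies the task does not support Windows targets; state that limitation in the task's REFERENCE.md entry as well so it is not only discoverable here.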
@@ -286,3 +292,25 @@ Once you've done that, it's just a matter of delivering the new CA certificate t
If you are a PE user and need support using this module or are encountering issues, our Support team would be happy to help you resolve your issue and help reproduce any bugs. Just raise a ticket on the [support portal](https://support.puppet.com/hc/en-us/requests/new).

If you have a reproducible bug or are a community user you can raise it directly on the Github issues page of the module [here.](https://github.com/puppetlabs/ca_extend/issues) We also welcome PR contributions to improve the module. Please see further details about contributing [here](https://puppet.com/docs/puppet/7.5/contributing.html#contributing_changes_to_module_repositories)


---

# Supporting Content

### Articles

The [Support Knowledge base](https://support.puppet.com/hc/en-us) is a searchable repository for technical information and how-to guides for all Puppet products.

This Module has the following specific Article(s) available:

1. [Check and fix the expiry date for your CA certificate in Puppet Enterprise](https://support.puppet.com/hc/en-us/articles/360022508353)


### Videos

The [Support Video Playlist](https://youtube.com/playlist?list=PLV86BgbREluWKzzvVulR74HZzMl6SCh3S) is a resource of content generated by the support team


---

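Review bot: `The [Support Video Playlist](...) is a resource of content generated by the support team` is missing its final period, `This Module` should be lower-case `module`, and the section ends with a stray `---` after a double blank line with nothing following it; drop the trailing rule, or keep only the one above `# Supporting Content`. The `#` heading level also jumps from the `##` sections used elsewhere in the README; `## Supporting Content` would keep the outline consistent.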
78 changes: 56 additions & 22 deletions REFERENCE.md
@@ -8,16 +8,18 @@

* [`check_agent_expiry`](#check_agent_expiry): Check the expiration date of all agent certificates
* [`check_ca_expiry`](#check_ca_expiry): Check the expiration date of a CA certificate
* [`check_crl_cert`](#check_crl_cert): Check the expiration date of the primary server crl
* [`check_primary_cert`](#check_primary_cert): Check the expiration date of the primary server cert
* [`configure_primary`](#configure_primary): Backup ssldir and copy newly generated CA certificate
* [`crl_truncate`](#crl_truncate): Truncate the CRL issued by the Puppet CA
* [`extend_ca_cert`](#extend_ca_cert): Extend CA certificate expiry date

### Plans

* [`ca_extend::extend_ca_cert`](#ca_extendextend_ca_cert): Plan that extends the Puppet CA certificate and configures the primary Puppet server
* [`ca_extend::extend_ca_cert`](#ca_extend--extend_ca_cert): Plan that extends the Puppet CA certificate and configures the primary Puppet server
and Compilers to use the extended certificate.
* [`ca_extend::get_agent_facts`](#ca_extendget_agent_facts): A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.
* [`ca_extend::upload_ca_cert`](#ca_extendupload_ca_cert): A plan to upload a given CA certificate to a number of Puppet agent nodes
* [`ca_extend::get_agent_facts`](#ca_extend--get_agent_facts): A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.
* [`ca_extend::upload_ca_cert`](#ca_extend--upload_ca_cert): A plan to upload a given CA certificate to a number of Puppet agent nodes

## Tasks

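Review bot: `Check the expiration date of the primary server crl` should read `CRL`, matching `CA` in the neighbouring entries (the same lower-case `crl` appears in the task section below). The anchor rename from `#ca_extendextend_ca_cert` to `#ca_extend--extend_ca_cert` follows newer puppet-strings output; check that any in-repo links to the old anchors were updated, since GitHub renders a dead fragment silently.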
@@ -55,6 +57,12 @@ Data type: `Optional[String[1]]`

YYYY-MM-DD date to test whether the certificate will expire by. Defaults to three months from today

### <a name="check_crl_cert"></a>`check_crl_cert`

Check the expiration date of the primary server crl

**Supports noop?** false

### <a name="check_primary_cert"></a>`check_primary_cert`

Check the expiration date of the primary server cert
@@ -81,6 +89,32 @@ Data type: `Boolean`

Flag to regerate the primary server's certificate. Set to true to perform the regeneration

### <a name="crl_truncate"></a>`crl_truncate`

Truncate the CRL issued by the Puppet CA

**Supports noop?** false

#### Parameters

##### `ssldir`

Data type: `Optional[String[1]]`

The location of the Puppet ssl dir

##### `crl_expiration_days`

Data type: `Integer[1]`

The number of days until the new CRL expires. Defaults to 15 years (5475 days)

##### `run_puppet_agent`

Data type: `Boolean`

Whether to run the Puppet agent after creating the CRL. Defaults to true

### <a name="extend_ca_cert"></a>`extend_ca_cert`

Extend CA certificate expiry date
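Review bot: `ssldir` for `crl_truncate` is `Optional[String[1]]` but no default is documented, unlike the plan's `ssldir`, which shows `/etc/puppetlabs/puppet/ssl`; add the default so operators know what happens when it is omitted. `crl_expiration_days` `Defaults to 15 years (5475 days)`, which is far longer than a CRL is usually kept valid; the next-update date is what forces clients to refresh revocation data, so either justify the choice in the description or lower the default. `run_puppet_agent` says `Defaults to true` in prose while the plans section uses a `Default value:` line; use the same form here.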
@@ -89,7 +123,7 @@ Extend CA certificate expiry date

## Plans

### <a name="ca_extendextend_ca_cert"></a>`ca_extend::extend_ca_cert`
### <a name="ca_extend--extend_ca_cert"></a>`ca_extend::extend_ca_cert`

Plan that extends the Puppet CA certificate and configures the primary Puppet server
and Compilers to use the extended certificate.
@@ -112,75 +146,75 @@ bolt plan run ca_extend::extend_ca_cert --targets <primary_fqdn> --run-as root

The following parameters are available in the `ca_extend::extend_ca_cert` plan:

* [`targets`](#targets)
* [`compilers`](#compilers)
* [`ssldir`](#ssldir)
* [`regen_primary_cert`](#regen_primary_cert)
* [`targets`](#-ca_extend--extend_ca_cert--targets)
* [`compilers`](#-ca_extend--extend_ca_cert--compilers)
* [`ssldir`](#-ca_extend--extend_ca_cert--ssldir)
* [`regen_primary_cert`](#-ca_extend--extend_ca_cert--regen_primary_cert)

##### <a name="targets"></a>`targets`
##### <a name="-ca_extend--extend_ca_cert--targets"></a>`targets`

Data type: `TargetSpec`

The target node on which to run the plan. Should be the primary Puppet server

##### <a name="compilers"></a>`compilers`
##### <a name="-ca_extend--extend_ca_cert--compilers"></a>`compilers`

Data type: `Optional[TargetSpec]`

Optional comma separated list of compilers to upload the certificate to

Default value: ``undef``
Default value: `undef`

##### <a name="ssldir"></a>`ssldir`
##### <a name="-ca_extend--extend_ca_cert--ssldir"></a>`ssldir`

Data type: `Any`

Location of the ssldir on disk

Default value: `'/etc/puppetlabs/puppet/ssl'`

##### <a name="regen_primary_cert"></a>`regen_primary_cert`
##### <a name="-ca_extend--extend_ca_cert--regen_primary_cert"></a>`regen_primary_cert`

Data type: `Any`

Whether to also regenerate the agent certificate of the primary Puppet server

Default value: ``false``
Default value: `false`

### <a name="ca_extendget_agent_facts"></a>`ca_extend::get_agent_facts`
### <a name="ca_extend--get_agent_facts"></a>`ca_extend::get_agent_facts`

A plan to work around BOLT-1168 so that one agent failing in apply_prep won't cause the whole plan to fail.

#### Parameters

The following parameters are available in the `ca_extend::get_agent_facts` plan:

* [`nodes`](#nodes)
* [`nodes`](#-ca_extend--get_agent_facts--nodes)

##### <a name="nodes"></a>`nodes`
##### <a name="-ca_extend--get_agent_facts--nodes"></a>`nodes`

Data type: `TargetSpec`

The targets to run apply_prep on

### <a name="ca_extendupload_ca_cert"></a>`ca_extend::upload_ca_cert`
### <a name="ca_extend--upload_ca_cert"></a>`ca_extend::upload_ca_cert`

A plan to upload a given CA certificate to a number of Puppet agent nodes

#### Parameters

The following parameters are available in the `ca_extend::upload_ca_cert` plan:

* [`nodes`](#nodes)
* [`cert`](#cert)
* [`nodes`](#-ca_extend--upload_ca_cert--nodes)
* [`cert`](#-ca_extend--upload_ca_cert--cert)

##### <a name="nodes"></a>`nodes`
##### <a name="-ca_extend--upload_ca_cert--nodes"></a>`nodes`

Data type: `TargetSpec`

The targets to upload the certificate to

##### <a name="cert"></a>`cert`
##### <a name="-ca_extend--upload_ca_cert--cert"></a>`cert`

Data type: `String`

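Review bot: the plan's `ssldir` and `regen_primary_cert` parameters are still typed `Any` (`Data type: Any`) while the tasks they feed declare `Optional[String[1]]` and `Boolean`; tightening the plan parameters to `String[1]` and `Boolean` would reject malformed input before anything runs as root on the primary. The anchor renames and the `undef`/`false` default formatting are regenerated puppet-strings output and look consistent.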
1 change: 1 addition & 0 deletions files/extend.sh
@@ -72,6 +72,7 @@ EOT
new_ca_cert="${ca_dir}/ca_crt-expires-${end_date}.pem"

yes | "${PUPPET_BIN}/openssl" ca \
-notext \
-in "${workdir}/ca_csr.pem" \
-keyfile "${ca_key}" \
-config "${workdir}/openssl.cnf" \
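Review bot: `-notext` keeps the human-readable certificate dump out of the `openssl ca` output (the SUP-3048 fix in the changelog), which is right for a script whose output lands in Bolt results and logs. While here, `yes | "${PUPPET_BIN}/openssl" ca` answers every prompt with `y`, including any the script did not anticipate; `openssl ca -batch` is the documented non-interactive mode and makes the intent explicit, so consider replacing the pipe with `-batch`.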
8 changes: 4 additions & 4 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-ca_extend",
"version": "3.2.0",
"version": "3.3.0",
"author": "Adrian Parreiras Horta",
"summary": "A set of Bolt Plans and Tasks to extend the CA cert in Puppet Enterprise",
"license": "GPL-2.0-only",
@@ -53,7 +53,7 @@
"version_requirement": ">= 6.16.0 < 8.0.0"
}
],
"pdk-version": "2.3.0",
"template-url": "https://github.com/puppetlabs/pdk-templates#main",
"template-ref": "heads/main-0-gf3911d3"
"pdk-version": "2.6.1",
"template-url": "https://github.com/puppetlabs/pdk-templates#2.7.1",
"template-ref": "tags/2.7.1-0-g9a16c87"
}